GAP ANALYSIS OF NEW YORK LAW AND RECOMMENDATIONS REGARDING IMPLEMENTATION OF ELECTRONIC HEALTH RECORDS HEALTH LAW COMMITTEE DECEMBER 2013




GAP ANALYSIS OF NEW YORK LAW AND RECOMMENDATIONS REGARDING IMPLEMENTATION OF ELECTRONIC HEALTH RECORDS IN HEALTH INFORMATION EXCHANGES

HEALTH LAW COMMITTEE
DECEMBER 2013

THE ASSOCIATION OF THE BAR OF THE CITY OF NEW YORK
42 West 44th Street, New York, NY 10036-6689
www.nycbar.org

Contact: Maria Cilenti - Director of Legislative Affairs - mcilenti@nycbar.org - (212) 382-6655

TABLE OF CONTENTS

I. INTRODUCTION
    Executive Summary
    Premise of Paper
    Key Background
        HIPAA is Not a Cure-All
        Technological Capabilities
II. ELECTRONIC HEALTH RECORDS OF MINORS
    Issue 1: New York law needs clarification regarding the statutory restrictions of Public Health Law Section 17 and the utilization of a RHIO in the transmission of a minor's venereal disease and abortion-related medical records.
        Gap Analysis
        Current New York Law
        Example of Issue Presented by Gap in Law
III. HIV/AIDS INFORMATION
    Issue 2: New York law needs clarification regarding the statutory prohibitions of Public Health Law Article 27-F regarding disclosure and redisclosure of HIV/AIDS-related medical information and the transmission of such information through a RHIO.
        Gap Analysis
        Current New York Law
        Example of Issue Presented by Gap in Law
IV. SUBSTANCE ABUSE RECORDS
    Issue 3: New York law needs clarification regarding the application of Public Health Law Section 18 and the requirements of 42 CFR Part 2 to the transmission of alcohol and drug abuse patient records through a RHIO.
        Gap Analysis
        Current Applicable Law
        Example of Issue Presented by Gap in Law
V. MENTAL HEALTH INFORMATION
    Issue 4: New York law needs clarification regarding restrictions on disclosure of mental health records found in Mental Hygiene Law Sections 13.13 and 13.16 and the transmission of such records to and through a RHIO.
        Gap Analysis
        Current Applicable Law
        HIPAA Protections for Psychotherapy Notes
        Example of Issue Presented by Gap in Law

VI. GENETIC INFORMATION
    Issue 5: New York law needs clarification regarding the application of New York Civil Rights Law 79-L and the transmission of records of genetic tests.
        Gap Analysis
        Current New York Law
        Example of Issue Presented by Gap in Law
VII. ABORTION RECORDS
    Issue 6: New York Law needs clarification regarding the utilization of RHIOs in the transmission of abortion records in light of patients' statutory right to specifically consent to disclosure of abortion records.
        Gap Analysis
        Current New York Law
        Example of Issue Presented by Gap in Law
VIII. TYPES OF DISCLOSURE
    Issue 7: Uploading Patient Information to RHIOs by Providers
        Gap Analysis
        Current New York Law
        Example of Issue Presented by Gap in Law
    Issue 8: The ability of and procedures for RHIOs to respond to judicial and administrative proceedings is unclear.
        Gap Analysis
        Current New York Law
        Example of Issue Presented by Gap in Law
IX. LEGAL RECOMMENDATIONS
    Need for Legislative Action and Not Regulatory
    Licensure Regime
    Consent to Uploading Medical Records to the RHIO

I. INTRODUCTION

Executive Summary

The importance of electronic medical records and the use of intermediate entities such as a regional health information organization ("RHIO") is growing both in New York and nationally. The adoption of electronic medical records must be balanced with the protection of privacy and security of those records. The state of current New York privacy law presents two overarching challenges: 1) the patchwork nature of the law applicable to the use and disclosure of medical records in the context of electronic records; and 2) the fact that many such statutes were written at a time when the current expansive use and sharing of electronic medical records was not contemplated. As a result, clarification is needed with respect to the application of New York privacy law as it applies to uploading and downloading electronic medical records to and from a RHIO in the following areas:

- Transmission of a minor's venereal disease and abortion-related medical records;
- Minor's medical records;
- HIV/AIDS information;
- Alcohol and drug abuse records;
- Mental health records;
- Consent for Genetic Testing;
- Access to medical records during an emergency;
- Abortion records; and
- Response to judicial and administrative proceedings

As described in Section IX of this report, Legal Recommendations, we recommend that a new unifying statutory regime apply specifically to health information exchanges that go through a licensing process. A Licensed Health Information Exchange would have to adhere to certain set standards that would ensure the privacy and security of a patient's information. Such unifying statutory regime would make clear

that uploading to or downloading from a Licensed Health Information Exchange would not violate New York law if done pursuant to its privacy standards. We further recommend requiring a patient's consent to upload his or her medical record to a RHIO.

Premise of Paper

What is an electronic health record? There is no definition in New York law. The Health Information Technology Act of 2009 (the "HITECH Act") defines it as follows: "The term 'electronic health record' means an electronic record of health-related information on an individual that is created, gathered, managed, and consulted by authorized health care clinicians and staff." [1]

The use of electronic health records is ever growing. The HITECH Act itself allocated $19 billion to encourage physicians and hospitals to adopt electronic health records. The ability to create and save health records in electronic format may not only advance quality in healthcare delivery but may also reduce expenses that would otherwise be incurred in maintaining and transferring paper health records.

It should be recognized, however, that storing vast amounts of private healthcare information electronically carries the risk of possible negative consequences as well. For example, if there is a security breach, the person who gains unauthorized access to health records in electronic format will have access to sensitive health information of potentially millions of patients on one laptop or thumb drive. A healthcare provider could transmit millions of electronic health records to a third party inadvertently or based on a misinterpretation of the law. In either case, the healthcare provider would have millions of violations of applicable privacy law at the press of a button.

The increased use of electronic health records has inspired various exchange models through which records may be shared between healthcare providers. The goal is for various healthcare providers to access a given patient's information through such electronic exchange.

There are some models that do not require detailed patient encounter information to be housed by the exchange, such as the Common Framework advanced by the Markle Foundation. [2] The privacy concerns surrounding the transfer of patient information are lessened in these situations, as a request for specific information may be made from a requesting healthcare provider and the disclosing healthcare provider can then tailor his or her disclosure to take into consideration the federal and state privacy law requirements.

[1] Section 13400(5) of the Health Information Technology for Economic and Clinical Health (HITECH) Act, Title XIII of Division A and Title IV of Division B of the American Recovery and Reinvestment Act of 2009 (ARRA), Pub. L. No. 111-5 (Feb. 17, 2009).

[2] In the Markle Foundation's Common Framework a patient record locator is utilized by the requesting healthcare provider who locates the other healthcare providers who hold the sought-after patient information. The patient information is then passed directly from one of the patient's healthcare providers to another, without the use of an intermediate entity, such as a regional health information organization. For more information on the Common Framework see http://www.markle.org/health/markle-commonframework (last visited December 4, 2013).

Another model used to exchange electronic health records involves housing a large amount of patient encounter data. In this model one healthcare provider uploads patient health information to the exchange. A second healthcare provider is then able to download that patient information. Another term for such an exchange that is most commonly used in New York State is a regional health information organization. A RHIO is a separately incorporated, not-for-profit entity.

The use of a RHIO adds a layer of complexity to the exchange of healthcare information, as health information is no longer being exchanged directly between healthcare providers, nor is the disclosure from the first healthcare provider tailored based on a request from another healthcare provider. Instead, the entire electronic health record of a patient may be uploaded to or downloaded from a RHIO. Moreover, it is our understanding that current technology does not allow for the segregation of data within a specific medical record downloaded from a RHIO. This presents several challenges to a healthcare provider who seeks to be compliant with all applicable privacy laws, as certain New York State law is not clear as applied to electronic health records.

Several of the current State privacy laws were written at a time when the idea of being able to store and transfer vast amounts of patient information in digital form was not contemplated. Thus, there is a patchwork of New York laws that are implicated when patient information is uploaded to or downloaded from a RHIO. The application of this legal patchwork in practice is not clear.

One important issue to note is that the current state of technology does not allow for segregation of data within an electronic health record uploaded to or downloaded from a RHIO. For example, when a cardiologist downloads an electronic health record from a RHIO, such electronic health record will contain all of the patient's health information, including such information that may not be necessary to achieve the treatment goals of the cardiologist (e.g., podiatry results, mental health records, a record of an abortion that occurred 10 years ago, etc.).

As a result of the current patchwork of laws as well as the current state of technology, some providers in the State have either curtailed, delayed or reduced their participation in electronic health record storage and transfer via a RHIO. This runs counter to the State's interests, as the use of RHIOs has great potential for reducing healthcare costs across the State and increasing the quality of healthcare delivery.

The New York eHealth Collaborative is a public-private partnership with the New York State Department of Health. In April 2011 the New York eHealth Collaborative released the Statewide Collaboration Process Privacy and Security Policies and Procedures for RHIOs and their Participants in New York State Version 2.2 (the "SCP Policies and Procedures"). The SCP Policies and Procedures seek to govern the exchange of health information through the Statewide Health Information Network for

New York ("SHIN-NY") facilitated by regional health information organizations in the State. [3] As RHIOs exist in New York State through, in whole or in part, governmental funding, it is our understanding that each currently existing RHIO in the State must operate according to the SCP Policies and Procedures in order to receive such funding.

As mentioned earlier, there is a patchwork of statutes that govern the various aspects of the exchange of electronic health records. There are no regulations promulgated under these statutes that address how information is to be uploaded, stored and downloaded from a RHIO. The SCP Policies and Procedures, while not created through the normal regulatory process, seek to fill this regulatory void and attempt to weave together a set of rules to protect the privacy of New Yorkers' health information while allowing RHIOs to exist, collect and dispense that health information for the betterment of healthcare in the State. For example, with limited exceptions, SCP Policies and Procedures require patient consent before health information can be downloaded from a RHIO to a requesting party.

That said, however, there are fundamental gaps in the underlying statutes that still need to be addressed. While the SCP Policies and Procedures govern the actions of the RHIOs and their subcontractors, those policies and procedures do not govern (or provide immunity for) the actions of healthcare providers who utilize the RHIOs. Some healthcare providers are hesitant to participate in RHIOs where the underlying laws have interpretive ambiguities. For example, the current interpretation of the Department of Health is that no patient authorization is required for a health-care practitioner to upload a patient's healthcare information to a RHIO.

One fundamental question is whether uploading to a RHIO, a separately incorporated not-for-profit entity, is deemed a disclosure by a healthcare provider. This distinction is important, as a disclosure of patient information triggers many of the patient privacy protection laws. As discussed more fully in Section VIII, Types of Disclosure, New York Public Health Law Section 18(6) provides certain restrictions around the disclosure of patient information to third parties. As discussed more fully in the Types of Disclosure section, the current law is not clear as to how these restrictions apply to uploading patient information to a RHIO.

The purpose of this paper is to explore some of the gaps in the current law and suggest certain actions that may be taken to clarify the legal framework around electronic health records in the State of New York. Each section states an issue, a gap analysis regarding that issue, a description of current New York law regarding the issue, and an example of the issue presented by the gap in the law. Our recommendations are contained in Section IX at the end of this paper.

[3] For a complete overview of how the organizational infrastructure involving the health information technology initiative operates in New York State, see http://www.health.ny.gov/technology/infrastructure (last visited on December 4, 2013).

Key Background

HIPAA is Not a Cure-All

It should be noted that the Health Insurance Portability and Accountability Act of 1996, as amended, ("HIPAA") [4] provides privacy and security protections for individuals' health information. However, to the extent that a state law applicable to the privacy or security of health information is more stringent than HIPAA, such state law would govern. This paper focuses on the New York state laws that are not preempted by HIPAA, and therefore are relevant to the analysis of health information privacy protections.

Technological Capabilities

Another important fact underlying this paper is that, due to current technological constraints, RHIOs cannot segregate information in patients' electronic medical records. [5] Therefore, all of the information that has been uploaded to the RHIO could be viewed by the provider who subsequently accesses the patient's medical record in the RHIO. For example, a patient cannot allow a dermatologist to view only the portions of his/her medical record that pertain to dermatological issues. Once a patient grants the dermatologist access to his/her medical record through the RHIO, that dermatologist will have access to all of the patient's records that have been entered in the RHIO. This technological limitation presents several privacy concerns that are fundamental to the analysis in this paper.

Finally, it must be stated that the general rule under the SCP Policies and Procedures is that a patient's consent is not required at the point of uploading the patient's information to the RHIO. Rather, the patient's consent is required at the point of download. [6] This paper assumes that a RHIO is following the SCP Policies and Procedures, and therefore, is not requiring patient consent to upload the medical records.

[4] The Health Insurance Portability and Accountability Act of 1996, as amended, and its implementing regulations, 45 CFR Parts 160, 162 and 164.

[5] While we understand that technology to segregate data may have been developed in sectors such as national security or banking, at the time of the writing of this paper we are unaware of a NYS RHIO currently using such technology. We understand that the technology currently being employed does not have the required capability to segregate data in a manner that would allow for easy compliance with New York privacy laws. Further discussion of such technology is beyond the scope of this paper.

[6] See Section 1.1 of the SCP Policies and Procedures.

II. ELECTRONIC HEALTH RECORDS OF MINORS

Issue 1: New York law needs clarification regarding the statutory restrictions of Public Health Law Section 17 and the utilization of a RHIO in the transmission of a minor's venereal disease and abortion-related medical records.

Gap Analysis

Section 17 of the PHL prohibits medical records relating to the treatment of a minor for venereal disease or abortion from being disclosed to the minor's parent. However, New York State law is not clear on whether or how such information must be segregated from the minor's medical record. Therefore, if a treating provider uploads a minor's medical record containing information regarding treatment for venereal disease or abortion to a RHIO, and that information is not isolated from the rest of the medical record, it is possible that such health information may subsequently be disclosed to the parent if the parent requests a copy of the minor's entire medical record. This situation could lead to a violation of a minor's privacy rights under Section 17 of the PHL.

It should be noted that the SCP Policies and Procedures state that the medical records for a minor under the age of ten can be uploaded to the RHIO without the patient's consent, and that a provider must seek the consent of a minor over the age of ten prior to downloading his/her records to a RHIO. [7] If a minor over the age of ten consents to the download of his/her medical record to the RHIO, the minor may not realize that such information cannot be segregated from the rest of his/her medical record, and therefore, that his/her parent could gain access to this information if the parent obtains the patient's entire medical record through the RHIO.

Current New York Law

With respect to disclosures of venereal disease diagnosis and information, HIPAA does not distinguish between adults and minors. Therefore, to the extent that state law has more restrictive requirements with respect to medical records of people of certain ages, such state law would not be preempted by HIPAA.

Section 17 of the New York Public Health Law sets forth the general rule in New York with respect to the release and disclosure of medical records. Section 17 states that upon the written request of any patient, guardian, conservator, or other relevant individuals, a treating healthcare provider must release all medical records, laboratory tests records and x-rays. [8] However, Section 17 contains a specific exception with respect to certain medical information pertaining to patients who are under the age of 18, and therefore considered minors. [9] Section 17 of the Public Health Law prohibits medical records concerning the treatment of a minor for venereal disease (also referred to as "sexually transmitted infections") or abortion from being released or made available to the parent or guardian of such minor patient.

[7] See Section 1.5 of the SCP Policies and Procedures.

[8] N.Y. PUB. HEALTH LAW 17.

Example of Issue Presented by Gap in Law

A 16-year-old girl has an abortion. Her doctor notes the abortion in the girl's medical record, but in accordance with PHL Section 17 does not disclose the abortion to the girl's parents. The doctor later uploads the girl's medical record to a RHIO. A year later, the girl is involved in a car accident. She subsequently seeks treatment for abdominal issues resulting from the car accident. She consents to the downloading of her medical record from the RHIO, not realizing the medical record contains the abortion information. The doctor who is treating her for the abdominal issues notes the prior abortion in his record. In connection with an insurance claim relating to the car accident, the mother requests a copy of the medical record from the doctor who treated her daughter for the abdominal issues. The girl consents to the release of the medical record to her mother without understanding that the copy of the medical record contains information about her prior treatment for the abortion. The question becomes whether this disclosure of the minor's medical treatment for an abortion is a violation of the child's privacy rights under Section 17.

III. HIV/AIDS INFORMATION

Issue 2: New York law needs clarification regarding the statutory prohibitions of Public Health Law Article 27-F regarding disclosure and redisclosure of HIV/AIDS-related medical information and the transmission of such information through a RHIO.

Gap Analysis

It is our understanding that RHIOs are currently unable to segregate certain types of information, such as HIV/AIDS status.
Therefore, until such information can be segregated, individuals who wish to maintain the confidentiality of their HIV/AIDS status will be forced to choose whether to allow their HIV/AIDS information to be disclosed along with their other medical information, or to allow none of their medical information to be disclosed. The gap in the law that creates an "all or nothing" approach for people with HIV/AIDS seems to undermine the statutory intent of providing these individuals with enhanced confidentiality so as to prevent discrimination.

[9] The definition of a minor in New York State, which is referred to as an "infant" in the statutes, can be found at Section 105(j) of the New York Civil Practice Law and Rules.

New York State law is not clear as to whether and how the restrictions on disclosure and redisclosure of a person's HIV and/or AIDS-related medical information would function in the RHIO context. As the RHIO is not itself a healthcare provider, this creates ambiguity as to how the permissible disclosures and prohibited disclosures would apply to the RHIO. For example, who at the RHIO determines which disclosures of HIV/AIDS information can be made, and whether such disclosures must be accompanied by the statutorily required language?

Current New York Law

In New York, medical information pertaining to an individual's HIV and/or AIDS status is subject to confidentiality and nondisclosure requirements that are significantly more restrictive than the protections afforded to other medical information. The New York State Legislature has recognized that maximum confidentiality protection for information relating to HIV and AIDS is an essential public health measure and that "[b]y providing additional protection of the confidentiality of HIV related information, the legislature intends to encourage the expansion of voluntary confidential testing for [HIV] so that individuals may come forward, learn their health status, make decisions regarding the appropriate treatment, and change the behavior that puts them and other at risk of infection." [10] The Legislature also noted that enhanced confidentiality protections for HIV-related information will likely reduce the risk of discrimination against individuals affected by HIV. [11] Accordingly, the Legislature enacted Article 27-F of the New York Public Health Law, which provides for enhanced protection of HIV and AIDS related information.

The general rule under Article 27-F is that no person or entity that obtains HIV/AIDS related information in the course of providing any health or social service, or pursuant to a release of confidential HIV/AIDS related information, may disclose or be compelled to disclose such HIV/AIDS related information. [12] The exceptions to this rule are strictly and specifically limited. [13]

New York State law is also more restrictive when it comes to the redisclosure of HIV/AIDS information versus medical information in general. Under Article 27-F, any person or entity to whom HIV related information has been disclosed shall not redisclose such information, unless one of the conditions for the original disclosure (set forth above) is met, or unless the disclosure is to an individual that falls within one of the five explicit categories enumerated under the law. [14]

[10] Laws 1988, ch 584, 1.

[11] Laws 1988, ch 584, 1.

[12] N.Y. PUB. HEALTH LAW 2782 and 10 N.Y.C.R.R. 63.6. Note that the regulations promulgated pursuant to Article 27-F are located at 10 N.Y.C.R.R. 63 et seq.

[13] N.Y. PUB. HEALTH LAW 2782(1)(a) and 10 N.Y.C.R.R. 63.6.

[14] N.Y. PUB. HEALTH LAW 2782(3).

Furthermore, the redisclosure of HIV/AIDS related information must be accompanied by the confidentiality notice that further disclosure is proscribed by law, except in connection with disclosures to the Protected Individual and most disclosures made by physicians:

"This information has been disclosed to you from confidential records which are protected by state law. State law prohibits you from making any further disclosure of this information without the specific written consent of the person to whom it pertains, or as otherwise permitted by law. Any unauthorized further disclosure in violation of state law may result in a fine or jail sentence or both. A general authorization for the release of medical or other information is NOT sufficient authorization for further disclosure." [15]

The redisclosure requirements under Article 27-F are more stringent than HIPAA because HIPAA does not have the same restrictions on redisclosure, and HIPAA does not require specific language to accompany disclosure of PHI.

New York State law is also more stringent with respect to the language that must appear in a form authorizing the release of HIV/AIDS information: neither a general authorization for release of information nor a general HIPAA authorization for release of medical information is sufficient for the release of confidential HIV/AIDS information. Disclosures of confidential HIV/AIDS information require specific reference to HIV/AIDS information in the authorization form. [16]

With limited exceptions, all disclosures of confidential HIV/AIDS related information must be noted in the medical record. However, disclosures made to healthcare providers and facilities that are authorized to receive such information do not need to be documented. [17]

Example of Issue Presented by Gap in Law

A person with HIV is having pain in his lower back, and so he goes to see a podiatrist to determine whether he can obtain orthotic shoe inserts to prevent the back pain. The podiatrist seeks the patient's consent to download his medical history from the RHIO because the podiatrist would like to see if there are any prior injuries or issues involving the back, legs, hips, etc. that may be relevant to his diagnosis. The patient does not want the podiatrist to know that he has HIV, but he is worried that he might be compromising the podiatrist's analysis if he does not agree to the downloading of his medical records. Because the law does not require RHIOs to have the capability to segregate information in accordance with the more stringent privacy laws, this patient will be forced to either disclose his HIV status, or refuse to allow his medical history to be reviewed by the podiatrist.

[15] N.Y. PUB. HEALTH LAW 2782(5). The applicable regulations require similar, but not identical language to accompany any disclosure. See 10 N.Y.C.R.R. 63.5(b).
[16] 10 N.Y.C.R.R. 63.5(a).
[17] See 10 N.Y.C.R.R. 63.7(b).

IV. SUBSTANCE ABUSE RECORDS

Issue 3: New York law needs clarification regarding the application of Public Health Law Section 18, Section 33 of the Mental Hygiene Law and the requirements of 42 CFR Part 2 to the transmission of alcohol and drug abuse patient records through a RHIO.

Gap Analysis

Federal regulations set forth specific requirements for the use and disclosure of alcohol and drug abuse patient records that are maintained by or in connection with a federally-assisted substance abuse treatment program. New York Public Health Law Section 18(3)(i) requires the protection of health information pursuant to federal as well as state law. The upload and download of substance abuse information must, therefore, comply with federal law (42 CFR Part 2) in order to be compliant with state law.

It should be noted that substance abuse records that are part of a clinical record and subject to the provisions of New York Mental Hygiene Law Section 33.13 are protected under that statute. Therefore a disclosure of such clinical record must comply with the disclosure requirements under Mental Hygiene Law Section 33.13. A gap analysis with respect to records protected under the Mental Hygiene Law can be found at Section V of this paper.

Substance abuse records that are incorporated into a medical record which is subject to the provisions of Section 18 of the Public Health Law are protected under that statute. In all cases, however, disclosure of substance abuse records must comply with 42 CFR Part 2.
The following discusses how uploading patient records to a RHIO without patient consent interacts with the requirements of 42 CFR Part 2.

Current Applicable Law

The statutory and regulatory protections pursuant to 42 USC 290dd-2 and 42 CFR Part 2 ("Part 2") "impose restrictions upon the disclosure and use of alcohol and drug abuse patient records which are maintained in connection with the performance of any federally assisted alcohol and drug abuse program" [18] (the "Part 2 Records"). While HIPAA allows for the disclosure of protected health information without patient consent for the purposes of treatment, payment, or health care operations, 42 USC 290dd-2 and 42 CFR Part 2 do not have the same exceptions but rather require a written patient consent for the disclosure of alcohol and drug abuse patient records regardless of the purpose of the disclosure. [19]

The governmental agency that administers 42 CFR Part 2 is the Substance Abuse and Mental Health Services Administration ("SAMHSA"). SAMHSA has made it clear that there are only two ways that a Part 2 Record may be permissibly uploaded to a RHIO:

1. The patient who is the subject of the Part 2 Record signs a consent form that contains all of the required elements listed in 42 CFR 2.31 authorizing the Part 2 program [20] to disclose the information to the RHIO, or
2. There is a Qualified Service Organization Agreement (a "QSOA") [21] in place between a Part 2 program and the RHIO. [22]

SAMHSA has further provided that even if patient consent is not required by a RHIO for any other information to be uploaded to a RHIO, 42 CFR Part 2 still requires either a patient consent for a Part 2 Record to be uploaded to a RHIO or for a QSOA to be in place with the RHIO. [23] The RHIO may not then redisclose the Part 2 Records to anyone else, including to any other participant in the RHIO, unless and until the patient has consented to that disclosure using a Part 2-compliant consent form. [24]

Currently, under the SCP Policies and Procedures there is no requirement that a patient consent be obtained before a Part 2 Record is uploaded to a RHIO. To that end, it should be noted that the SCP Policies and Procedures state that there are legal risks in exchanging substance abuse treatment information based on its consent policies:

"The disclosure of records of federally-assisted alcohol and drug abuse programs is governed by federal regulations. 42 C.F.R. Part 2. While the State believes that policies set forth herein, including use of the Approved Patient Consent Form, are consistent with the regulations' consent requirements, the State does not have authority to interpret these regulations. SAMHSA, which is vested with such authority, has not yet provided clear guidance on this issue. Thus, RHIOs must individually assess the legal risk of exchanging substance abuse treatment information based on the affirmative consent policies set forth herein." [25]

Moreover, redisclosure of a Part 2 Record requires a further express written patient authorization. [26] Any disclosure of a Part 2 Record must be accompanied by a notice that states such further express written patient consent is needed to redisclose the information. It is not clear how this is accomplished when information is downloaded from a RHIO.

Finally, it should be noted that the New York statutory definition of mental disability includes alcoholism, substance dependence, and chemical dependence. Therefore, even if a clinical record regarding drug and alcohol treatment is not subject to 42 CFR Part 2, it would still be subject to the confidentiality and disclosure requirements under the New York Mental Hygiene Law. [27] The implications of uploading mental health information to, and downloading it from, a RHIO are discussed below in Section V of this report.

Example of Issue Presented by Gap in Law

Patient A has been in treatment for substance abuse at Clinic X and was prescribed certain medicines to help him with chemical dependency by psychiatrists employed by Clinic X. Clinic X is bound by Federal law, per SAMHSA guidance, to obtain a consent from Patient A before it uploads Patient A's information to a RHIO. Clinic X does not upload information to any RHIO due to ambiguity in New York law with respect to federal requirements. Patient A is treated by an emergency room doctor who accesses Patient A's records from the RHIO, but as Clinic X has not uploaded Patient A's information the doctor is unaware of the chemical dependency medication. Patient A is either incapacitated or embarrassed to discuss his chemical dependency with the ER doctor.

The benefits that could be gained by clarifying New York law on this point are clear. In this case, if Clinic X were comfortable with the interaction of Federal and State law and had uploaded Patient A's information to the RHIO, then the ER physician would have had more complete information with which to diagnose and treat Patient A. There is a risk that the ER doctor may prescribe a course of treatment that is contraindicated for a patient with chemical dependency or who is on the medication.

[18] 42 CFR 2.3.
[19] 42 USC 290dd-2(b)(1) and 42 CFR 2.3, 2.12, 2.13.
[20] A Part 2 program means: (a) An individual or entity (other than a general medical care facility) who holds itself out as providing, and provides, alcohol or drug abuse diagnosis, treatment or referral for treatment; or (b) An identified unit within a general medical facility which holds itself out as providing, and provides, alcohol or drug abuse diagnosis, treatment or referral for treatment; or (c) Medical personnel or other staff in a general medical care facility whose primary function is the provision of alcohol or drug abuse diagnosis, treatment or referral for treatment and who are identified as such providers. (42 CFR 2.11)
[21] A Qualified Service Organization Agreement is an agreement that must meet the requirements described in 42 CFR 2.11 under the second paragraph of the definition of a Qualified Service Organization.
[22] See the SAMHSA FAQs, answer to Question 7; SAMHSA's FAQs can be found at http://www.samhsa.gov/healthprivacy/docs/ehr-faqs.pdf (last visited December 4, 2013).
[23] See the SAMHSA FAQs, answer to Question 9 (emphasis added); SAMHSA's FAQs can be found at http://www.samhsa.gov/healthprivacy/docs/ehr-faqs.pdf (last visited December 4, 2013); See also the additional FAQs at http://www.integration.samhsa.gov/financing/samhsa_42cfrpart2faqii_-1-,_pdf.pdf (last visited December 4, 2013).
[24] Id.
[25] See footnote 2 of the SCP Policies and Procedures.
[26] 42 CFR 2.32. See also, Question 6 of SAMHSA's 2011 FAQs at http://www.integration.samhsa.gov/financing/samhsa_42cfrpart2faqii_-1-,_pdf.pdf (last visited December 4, 2013).
[27] See Mental Hygiene Law 1.0.

V. MENTAL HEALTH INFORMATION

Issue 4: New York law needs clarification regarding restrictions on disclosure of mental health records found in Mental Hygiene Law Sections 13.13 and 13.16 and the transmission of such records to and through a RHIO.

Gap Analysis

New York law imposes restrictions on the disclosure of mental health records above and beyond the restrictions applicable to general health information. As discussed more fully below, the law is currently unclear as to how RHIOs account for these additional requirements with respect to mental health records:

1. How does a disclosing healthcare provider know if the download of mental health information from a RHIO is based on a demonstrable need for such information, as required by law?
2. How can a disclosing healthcare provider make the legally required determination that a disclosure of requested mental health information may be detrimental to a patient if such healthcare provider has no control over what is disclosed and to whom?
3. How can a disclosing healthcare provider limit the information downloaded to the information necessary in light of the reason for the disclosure as required by law, if that healthcare provider does not have any control of what is disclosed from the RHIO or to whom?
Current Applicable Law

New York Mental Hygiene Law 33.13(c)(7) states that clinical records can be disclosed "with the consent of the patient to persons and entities who have a demonstrable need for such information and who have obtained such consent, provided that disclosure will not reasonably be expected to be detrimental to the patient, client or another provided, however, that release of such information to a patient or client shall not be governed by the subdivision." [28] It should be noted that there are limited circumstances under which a clinical record may be disclosed without patient consent; however, none of them would seem to apply to the uploading to or downloading from a RHIO. [29]

Moreover, Mental Hygiene Law 33.16(c)(3) states: "If, after consideration of all the attendant facts and circumstances, the practitioner or treating practitioner determines that the requested review of all or part of the clinical record can reasonably be expected to cause substantial and identifiable harm to the patient or client or others, or would have detrimental effect as defined in subdivision (b) of this [33.16], the facility may accordingly deny access to all or part of the record and may grant access to a prepared summary of the record." [30]

Under the current structure of the uploading/disclosure to the RHIO of the entire medical record of the patient and the subsequent download/redisclosure of that medical record from the RHIO to a provider organization, it does not appear that there can be accommodations made for either the showing of a "demonstrable need for the information" or the determination that such disclosure would not "reasonably be expected to be detrimental to the patient" as required by New York Mental Hygiene Law Section 33.13(c)(7). There is no opportunity for a practitioner to make a determination as to whether the disclosure would be detrimental to the patient or to deny access to the requesting party, regardless of the patient consent.

Finally, Mental Hygiene Law 13.13(f) states that "any disclosure made pursuant to [Section 13.13] shall be limited to that information necessary in light of the reason for the disclosure." [31] The current structure of uploading/disclosing the entire medical record to a RHIO with a subsequent downloading/redisclosure of such patient's information does not allow for a determination of the amount of information that should be disclosed. There is no gradation or determination of necessary limitations with respect to the extent of disclosed information.

HIPAA Protections for Psychotherapy Notes

Psychotherapy notes are afforded special privacy protection under HIPAA. [32] Psychotherapy notes are defined as the information recorded by a provider who is a mental health professional that documents the contents of conversation during a private counseling session or a group, joint or family counseling session and that is separated from the rest of the individual's medical record. Excluded from psychotherapy notes are medication prescription and monitoring, counseling session start and stop times, results of clinical tests, and summary of any of the following: diagnosis, functional status, treatment plan, symptoms, prognosis and progress to date. [33]

Under the HIPAA privacy rules, generally consent is not required for the disclosure of protected health information for payment, treatment or healthcare operations. However, when PHI includes psychotherapy notes, authorization is required. There are a few instances where psychotherapy notes can be disclosed without consent or authorization. [34] This includes instances where:

1. The originator of the psychotherapy notes uses them for treatment;
2. The covered entity uses or discloses the notes in training programs in which students, trainees, or practitioners in mental health learn under supervision to practice or improve their skills in group, joint, family, or individual counseling; or
3. The covered entity uses or discloses the notes to defend a legal action or other proceeding brought by the individual.

Under New York Mental Hygiene Law, consent is required for the disclosure of medical information except in certain instances. (See exceptions from 33.13(d) listed above). When consent is required, demonstrable need for the information must be shown by the third parties requesting disclosure of psychotherapy notes. It must also be shown that disclosure will not be a detriment to the client, patient or another. [35]

Example of Issue Presented by Gap in Law

Patient suffered from a mental illness and had a brief stay at Mental Health Center, a RHIO participant. Patient was also treated for a sore throat during the three-week stay at the center. At that time Patient's health information was uploaded to the RHIO without the Patient's written consent. Two months later Patient reported to Hospital after suffering from shortness of breath. Because the hospital was a member of a RHIO and Patient had previously signed a consent to allow Hospital to download Patient's medical record, Hospital was able to access Patient's medical records, which included not only the treatment she received for the sore throat while at the Mental Health Center but also Patient's prior mental health treatment. This included diagnosis and medication received. Patient was upset and embarrassed that her mental health treatment history was disclosed and is now reluctant to seek medical care as a result.

It is unclear in the application of New York law whether either the upload to the RHIO or the download from the RHIO of the prior mental health treatment is a violation of Mental Hygiene Law 13.13(f) because the information disclosed was not limited to such information necessary for treatment. The current structure of uploading/disclosing the entire medical record to a RHIO with a subsequent downloading/redisclosure of such patient's information does not allow for the determination of the amount of information that should be disclosed.

[28] New York Mental Hygiene Law 33.13(c)(7) (emphasis added).
[29] Per Mental Hygiene Law 33.13(d) the following are considered providers for treatment purposes without patient consent: (i) All programs that are licensed or operated by the Office of Mental Health (OMH), both inpatient and outpatient, are permitted to share clinical information among themselves for treatment purposes; and (ii) Programs responsible for providing non-licensed mental health services according to an approved local or unified services plan or pursuant to an agreement with OMH are also able to disclose information for treatment purposes. This would include programs which receive funding from OMH disbursed via a State Aid letter. Mental Hygiene Law 33.13 further states that information shared should be limited to that which is necessary in light of the reason for disclosure and information obtained should also be kept confidential and not be re-disclosed to another party unless it would also be permitted under the Mental Hygiene Law.
[30] Mental Hygiene Law 33.16(c)(3) (emphasis added).
[31] Mental Hygiene Law 13.13(f) (emphasis added).
[32] 45 CFR 164.508(a)(2).
[33] 45 CFR 164.508(a)(2).
[34] Id.
[35] Mental Hygiene Law 33.13(c)(7).

VI. GENETIC INFORMATION

Issue 5: New York law needs clarification regarding the application of New York Civil Rights Law 79-L and the transmission of records of genetic tests.

Gap Analysis

There is a lack of clarity with respect to how findings and results from genetic tests that may reveal a predisposition to a genetic disease or disability may be uploaded to and downloaded from a RHIO.

Current New York Law

State law provides that all records of genetic tests [36] are confidential and cannot be disclosed unless authorized by the individual subject of such test. [37] This authorization must be specific. A generalized consent is not adequate. [38] In practice, authorization will take the form of a written consent:

"All records, findings and results of any genetic tests performed on any person shall be deemed confidential and shall not be disclosed without the written informed consent of the person to whom such genetic test relates. This information shall not be released to any person or organization not specifically authorized by the individual subject of the test." [39]

[36] Genetic tests are defined as laboratory tests on human DNA, chromosomes, genes, or gene products to diagnose the presence of a genetic variation linked to a predisposition to a genetic disease or disability. See New York Civil Rights Law 79-L(1)(a).
[37] New York Civil Rights Law 79-L(3).
[38] Id.
[39] Id.

Therefore, if a healthcare provider requests an electronic health record from a RHIO and such electronic health record contains results of a genetic test, such genetic test information may only be disclosed to such requesting healthcare provider if the requesting health care provider is listed on the written consent of the individual subject of the genetic test. It is unclear how this should work with respect to a RHIO.

Example of Issue Presented by Gap in Law

As part of Patient A's prenatal doctor visits, genetic testing is conducted on Patient A to determine her and her child's genetic predisposition to certain diseases and disabilities. The genetic tests reveal that Patient A is predisposed to a certain type of cancer. The treating physician uploads all of Patient A's medical records to a RHIO. Three years later Patient A is being treated by a different doctor for back pain. The second doctor obtains a consent from Patient A to download her electronic medical record from the RHIO. On review of Patient A's medical record he discusses with her the possibility that her back pain may originate from the cancer to which, according to the genetic tests she had received three years prior, she is predisposed. Patient A is outraged that her predisposition to cancer has been uploaded into the RHIO without her consent. Moreover, this may also open the disclosing health care provider to liability for violating the confidentiality provisions of 79-L.

VII. ABORTION RECORDS

Issue 6: New York Law needs clarification regarding the utilization of RHIOs in the transmission of abortion records in light of patients' statutory right to specifically consent to disclosure of abortion records.

Gap Analysis

Additional privacy protections are in place for sensitive medical subjects, such as abortion records. However, these additional procedures are not sufficiently specified to the functionality of an EHR system.
New York needs to clarify practices and procedures relating to the use of abortion records across the multiple steps of the EHR collection process and use in specific situations, such as emergencies.

Current New York Law

In New York State, medical records dealing with abortion are subject to more stringent confidentiality laws than other medical information. For minors, medical records concerning abortion cannot be released even to the infant's parent or guardian. [40] Additionally, under General Business Law 394-e, reports dealing with abortion services cannot be disclosed, absent certain exceptions, without the [authorization] in writing by the subject of such report (General Business Law 394-e1c).

[40] New York Public Health Law 17.

Furthermore, upon any